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, Abstract. We use an embedding of the symmetric dth power of any algebraic 

curve C of genus g into a Grassmannian space to give algorithms for working 
with divisors on C, using only linear algebra in vector spaces of dimension 
' 0{g), and matrices of size 0(g 2 ) X O(g). When the base field fc is finite, or 

►7- i if C has a rational point over k, these give algorithms for working on the 

^ J , Jacobian of C that require 0(</ 4 ) field operations, arising from the Gaussian 

elimination. Our point of view is strongly geometric, and our representation 
of points on the Jacobian is fairly simple to deal with; in particular, none 
of our algorithms involves arithmetic with polynomials. We note that our 
algorithms have the same asymptotic complexity f or gen eral curves as the 



more algebraic algorithms in Hess' 1999 Ph.D. thesis [Hel|, which works with 
function fields as extensions of k[x]. However, for special classes of curves, 
Hess' algorithms are asymptotically more efficient than ours, generalizing other 
known efficient algorithms for specia l classes of curve s, su ch as hyperelliptic 
curves 10, superelliptic curves [ |GPS[ , and C a f, curves [HSy ; in all those cases, 
one can attain a complexity of 0(g 2 ). 

in 
o 

< T^) ■ 1. Introduction 

i-pH I Let C be a smooth algebraic curve of genus g over a field fc, and assume for 

simplicity in this introduction that C has a rational point over fc. When g = 1, C 
is an elliptic curve, and can be represented as a plane cubic; this is the Weierstrass 
model. In that case, the group law on C is easy to describe and to implement, and 
has led to many effective algorithms in cryptography that make use of the difficulty 
. of solving the discrete logarithm problem in the group of fc-rational points of C 

when A; is a finite field. If the genus of C is larger, then one can try to work with 
the group law on the Jacobian of C . If C admits a morphism of small degree to 
P 1 (for instance, if C is hyperelliptic), and if the genus g is large compared to the 
order of fc, then subexponential algorithms are known for the discrete logarithm on 



the J acobi an; see [ AdMH ] for hyperelliptic curves, [GPS] for superelliptic curves, 
and [Hel| for general curves. Computing in the Jacobian of a large genus curve is 
nonetheless of intrinsic interest. 

One problem is that for large g, the Jacobian is somewhat difficult to describe 
directly as an algebraic variety. For instance, if one wishes to embed the Jacobian 
into projective space, the standard way is to take a very ample line bundle (say, 3 
or 4 times the theta-divisor) , which leads to an embedding of the Jacobian into a 
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projective space of exponentially large dimension (e.g., 3 9 — 1 or A 9 — 1). This is not 
practical for explicit computations, especially as the equations defining the group 
law on the Jacobian will probably be similarly intractable. The other way to deal 
with the Jacobian is to use the fact that it is essentially an ideal class group attached 
to the function field of C; a divisor is a certain kind of ideal, and linear equivalence 
between divisors is equivalence in the ideal class group. Thus one works directly 
with divisors (or ideals) on C, and spends time mostly on finding appropriate 
elements of the function field in order to reduce divisors to a canonical form modulo 
linear equivalence. If the curve C is hyperelliptic, this is relatively easy, since the 
Jacobian is analogous to the ideal class group of a quadratic field; questions about 
the Jacobian can be translated into questions about binary quadratic forms over 
the polynomial ring k[x]. This allows one to implement the group operations on the 
Jacobian of a hyperelliptic curve in "time" proportional to g 2 , as in O. By this 
we me an th at th e algorithms require 0(g 2 ) operations in the field k. The articles 
|GPS and | HS give 0(g 2 ) algorithms for a wider class of curves, the superelliptic 



and C a b curves, using more sophisticated techniques to work with the ideal classes; 
the implied constants are however quite large, and there is some possibility that 
they could grow with the genus g. As for a general curve of genus g, there are 



algorithms by F. Hess (sec [Hel and |He2|), which both implement the group 



operations in the Jacobian, and determine its group structure over a finite field. 
Hess' algorithms begin with a map of degree n from the curve C to P 1 , and work 
with ideals in the function field of C, viewed as a degree n extension of k[x\. If n is 
fixed or bounded, then Hess' algorithms require 0(g 2 ) field operations to implement 
the group law on the Jacobian. This generalizes the previously mentioned results on 
hyperelliptic, superelliptic, and C a b curves. However, the minimum possible n for a 



general curve of genus g is approximately g/2 (see [GH , p. 261). In this case (and, 
more generally, for n = O(g)), the complexity of Hess' algorithms rises to 0(g A ) 
field operations per group operation in the Jacobian. Besides Hess' algorithms for 
general curves, we note two earlier geometric algorithms that are due to Huang and 



Ierardi [HI] and Volcheck Q. Both algorithms rely on a description of C as a plane 



curve with singularities, and the steps can become fairly involved (approximately 
0(g 7 ) field operations are needed per group operation in the Jacobian). 

In this paper, we give a set of straightforward geometric algorithms for the 
Jacobian of C that involve only 0(g 4 ) field operations. Moreover, our algorithms 
are quite simple to implement, as they only involve linear algebra (row reduction) on 
matrices of size 0(g 2 ) x 0(g), and in vector spaces of dimension 0(g). In particular, 
no polynomial algebra is ever used explicitly (a fortiori, no Grobner bases or field 
extensions either). One can however argue that the representation of C that we 
use implicitly works with quadratic polynomials in 0(g) variables. Specifically, 
we take a line bundle £ on C, whose degree N is approximately 6g, and work 
with the projective representation of C arising from H°(C,C). In our setting, the 
homogeneous ideal defining C is generated by quadratic polynomials (elements of 
Sym 2 H°(C,£)), which can be thought of as the kernel of the multiplication map 

(1.1) /i : H (C,£)®H°(C,£) -> Sym 2 H°(C, £) -> H a (C,£® 2 ). 

We note that the dimensions of the vector spaces H°(C, £) and H°(C, £® 2 ) are both 
O(g), being approximately bg and llg, respectively. Then \i can be described in 
terms of any suitable bases for these vector spaces. This article does not present any 
new ideas on how to efficiently construct curves C represented in the above form, 
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and, what is more, how to construct curves along with some nontrivial elements of 
their Jacobians. Nonetheless, the first question is easy to answer in principle: for 
example, choose a polynomial f(x,y) which describes a plane curve with singular- 
ities that is a projection of C, and which passes through a given nonsingular point 
Po such as (0 , 0); then we can let C = Oc(NP Q ), and use the algorithms of [ Hel| 
and of [ He2| ] (or perhaps those of [ HI | or of Jv[) to compute the global sections 
of C and of £® 2 , and hence the map /i. This must only be done once, in obtaining 
the initial description of C in the form suitable for our algorithms. As for the sec- 
ond question above, we have not come up with any interesting methods to produce 
divisors on our curve C, corresponding to nontrivial points on the Jacobian. The 
best that we can do is to suggest choosing the plane curve to pass through a small 
number of given points P±, . . . , P n , with n small compared to g. Then we can obtain 
divisors generated by the P±,...P n , but these divisors may not be "typical," for 
all we know. Another topic that we have not addressed (but which is covered in 
|Hel| ) is the question of efficiently computing the order, or, even better, the group 
structure, of the Jacobian over a finite field. 

The basic forms of our algorithms, given in Section |J, are fairly easy to describe 
and to understand. The algorithms involve only subspaces of the two vector spaces 
H°(C,£) and H°(C,£® 2 ) and the map /x, and require one to solve various systems 
of linear equations in this setting. In Section and to a lesser extent in Section || 
we give some faster, but slightly more complicated, algorithms for working with 
divisors on C and with the Jacobian, including an algorithm that essentially solves 
the general Riemann-Roch problem for a divisor (written as a difference of effective 
divisors) D\ — D 2 in time 0(max(<?, deg D 1: deg D 2 ) 4 )- These faster algorithms still 
require time 0(g 4 ), but work with vector spaces of smaller dimension; for example, 
we can get away with taking the line bundle C to have degree approximately 3c/, but 
then need to work (implicitly) with polynomials of higher degree in the projective 
embedding of C. Nonetheless, the structure of our faster algorithms is virtually 
identical to that of the basic forms of our algorithms. Our results follow from three 
main insights: 



1. We use a simple representation for effective divisors D on C, in terms of the 
projective embedding given by the line bundle C above. Namely, so long 
as the degree d of D is small compared to that of C, we can identify D 
uniquely by the linear subspace Wp of projective space that is spanned by 
D (in a way that makes sense even if D has points of multiplicity greater 
than 1). Dually, we represent D by the space Wd C H°(C\C) consisting of 
global sections s S H°(C,C) that vanish at D. Since the effective divisor D 
corresponds to a point on the symmetric power Sym C, we are essentially 
working with an embedding of C into the Grassmannian parametrizing codi- 
mension d subspaces of H°(C, C). As discussed in Section || below, this is 
much better than passing to a projective model of Sym d C using the Pliicker 
embedding. Perhaps other computational issues in algebraic geometry can 
become simpler if one is willing to work more extensively with Grassman- 
nians and linear algebra, instead of always sticking to projective space and 
polynomials. The author hopes that this article will promote further inves- 
tigation into the topic. 

2. We no longer insist on reducing divisors to a canonical form, but instead 
represent an element of the Jacobian as an effective divisor of a certain 
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degree d > g + 1. The basic form of our algorithms in Section |] can use any 
d > 2g + l, and an improvement in Section || uses d > g+l. It is quite doable 
to bring this down to d — g, but at the expense of some complications in the 
algorithms. As a result, a given element of the Jacobian can be represented 
by many different subspaces Wd, where only the linear equivalence class of 
D is well-defined. We of course give an algorithm to determine when two 
divisors represent the same point in the Jacobian; it also takes time 0(g A ). 
(More precisely, our algorithms take time 0(max(d, g) 4 ), in case someone 
should wish to work with divisors of extremely large degree.) 
We work in terms of multiplication of sections of line bundles, as well as a 
form of division (Lemma 2.2 and Lemma/ Algorithm [2.3| ). This amounts to 
working directly in the projective coordinate ring of C, instead of the full 
polynomial algebra of the projective space in which C lies. This produces 
a substantial time savings, since for fixed i « g, the space of degree I 
polynomials has dimension 0(dim V e ) = 0(g l ) 7 while the restriction of such 
polynomials to C is the space H°(C, whose dimension is 0(£g). More- 

over, the multiplication and division operations are the basis of our addition 
and flipping algorithms (Theorems/ Algorithms |3~6| and 3.10), which are fun- 
damental to our work. The flipping algorithm is especially important: given 
a divisor D on C, and a hyperplane containing D, it allows us to find the 
"complementary" divisor D' such that D + D' is the intersection of C with 
the hyperplane in question. The algorithm is inspired by geometric consid- 
erations, as explained in the discussion preceding Theorem/ Algorithm |3.10 . 
The flipping algorithm is what allows us to pass to divisor classes; for ex- 
ample, flipping twice with respect to different hyperplanes replaces D with 
another divisor linearly equivalent to it. 



We conclude this introduction by pointing out the connection between our way 
of representing divisors, and the way in Cantor's algorithm for hyperelliptic curves; 
it should be possible to say something similar for superelliptic and C a b curves. For 
simplicity, we restrict to the case where k does not have characteristic 2, and so 
consider a curve C : y 2 — f{x), where f(x) £ k[x] has degree 2g + l. Then a reduced 
(effective) divisor D of degree d < g is represented in Cantor's algorithm by the 
pair of polynomials {a(x), b(x)), with a{x) monic of degree d, b(x) of degree at most 
d—1, and b{x) 2 = f(x) (mod a(x)). If we factor a(x) = Yl^x — Xi), possibly with 
some repeated Xi, then D is the sum of the points (xi, b{xi)) on the curve. On the 
other hand, in our representation, we choose a line bundle C and represent D by the 
global sections of C vanishing at D. We can take C = Oc{NPoo), for N > 3g + 1, 
where is the "point at infinity" with Vp oa (x) = 2 and vp oo {y) =2^+1. To 
simplify, we shall take N = 2m to be even. Then a basis for H°(C, C), arranged in 
increasing order of pole at P^, is {1, x, x 2 , . . . , x 9 7 y, x 9+1 ,xy, x 9+2 ,x 2 y 7 . . . , x m }. 
Those sections that vanish at D are then of the form p(x)a(x) + q(x)(y — b(x)), 
where degp(x) < m~ d and deg q{x) < m — 1 — g. Our working with these sections 
using linear algebra can be thought of as performing polynomial operations on a(x) 
and b(x), but with a bound on the degree of intermediate results. (Of course, 
our algorithms also work in a more general setting.) An alternative way to deal 
with the above is to consider the affine curve C — Pq; its affine coordinate ring is 
k[x, y]/(y 2 — f{x)) = k[x] © k[x]y, and the elements vanishing at D form an ideal 
generated (even as a k[x] module) by the two elements a(x) and y — b(x). 
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2. Embedding the symmetric power of a curve into a Grassmannian 

Let X be an algebraic variety over a field fc; for the moment, we take k to 
be algebraically closed. It is standard to try to embed X into projective space by 
choosing a very ample line bundle £ on A, and using C to get an embedding of X 
into P(H°(X, £)). Here P(V) is the projective space that parametrizes codimension 
one subspaces of V. The standard embedding associates x € X to the subspace 
{s G H°(X, C) | s vanishes at x}. More generally, one can try to embed X into a 
Grassmannian variety, using a suitably positive rank d vector bundle £ . We then 
associate to x S X the analogous subspace W x of global sections of £ vanishing 
at x. Under suitable hypotheses, this gives us an embedding ip : X — > Gd(V), 
where Gd(V) parametrizes codimension d subspaces W of V. The map tp can be 
composed with the Pliicker embedding Gd(V) — > P(/\ d V) to obtain an embedding 
of X into projective space. For practical purposes, this may be unhelpful, as the 
dimension of A d V is ( "5 ) -dimensional, which is significantly greater than dimU 
once d > 2. If moreover d increases with dimU, the growth in the dimension can 
be exponential; for example, ( 2 ^) grows roughly as 4 n /y / 7rn by Stirling's formula. 
This suggests that we would be better off working with subspaces of V, and doing 
explicit calculations using linear algebra, instead of passing to a possibly exponential 
number of explicit projective coordinates via the Pliicker embedding. The case that 
interests us most is when X is the dih symmetric power Sym d (C) of a curve C. We 
shall embed Sym (C) into a certain Grassmannian without explicitly mentioning 
vector bundles. The alert reader will see that we are essentially working with the 



Quot scheme by hand (see Section 8.2 of |BLR|). 

Let g be the genus of C, take d > 1, and fix once and for all a line bundle C 
on C of degree N > 2g + d > 2g+ 1. The Riemann-Roch theorem implies that the 
space V = H°(C) = H°(C, C) has dimension N + 1 — g, and C gives an embedding 
of C into P(V) = P w_9 . In fact, a well-known theorem by Castelnuovo, Mattuck, 
and Mumford states that this embedding of C is projectively normal, and there is 
an even stronger theorem due to Fujita and Saint-Donat, which states that if in 
fact N > 2g + 2, then the ideal of C is generated by quadrics (B, Section 1.1). 
Now a point on Sym d (C) can be identified with an effective divisor D = ^ p mpP 
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on C, of degree d = mp; we associate to D the subspace Wd given by 
(2.1) W D = H°(£ -D)cV = H°(C). 

Thus Wd consists of the global sections s of C vanishing at D (i.e., s vanishes at 
each P to order at least mp). Note that we are freely abusing notation by often 
failing to distinguish between line bundles and divisors, and by referring to tensor 
operations on line bundles additively when it suits us; it would be more standard 
to write Wd — H° (£(— D)) . Due to the condition on the degree N, the line bundle 
C — D is nonspecial and has no base points, so Wd has codimension d in V, and 
we can recover D from Wd ■ We summarize this discussion in the following lemma, 
while noting incidentally that the argument also extends to the trivial case d = 0. 

Lemma 2.1 (Representation of divisors). Let C be an algebraic curve of genus 
g, and let C be a line bundle on C of degree N. Let D — ^mpP be an effective 
divisor on C of degree d (we allow D to be empty, in which case d = 0). Let 
W D = H°{£ - D) C H°(C) = V. Then if d < N — 2g + I, it follows that W D 
has codimension d in V . If furthermore d < N — 2g, then H°(C — D) has no base 
points, in the sense that H°(C — D — P) C H°(C — D) for all points P of C . In 
that case, the multiplicity mp can be recovered by noting that mp is the minimum 
order to which any section s £ Wd vanishes at P ( viewing s as a global section of 
£). 

Proof. This follows immediately from the Riemann-Roch theorem. □ 
Thus the map D i— > Wd is injective, and allows us to view Sym d (C) as a subset 



of Gd(V). For TV large compared to d and g, Theorem 8.2.8' of |BLR] guarantees 
that this injection of points is an embedding of varieties; we suspect that this holds 
in our setting, but have not checked the matter further, as we do not need this 
fact. Another way to view this map is via the embedding of C into P(V) given by 
our choice of C. Given a degree d divisor D on C, then its points span a certain 
d-dimensional subspace W D of the dual space V* (now identifying points of P{V) 
with nonzero elements of V* up to multiplication of scalars). Assuming that the 
multiplicities in D are all at most 1 (i.e., that D = ^2 t Pi for distinct Pi can be 
viewed as a reduced scheme), then W D is precisely the annihilator of Wd with 
respect to the pairing between V and V* . If D has some higher multiplicities, we 
can still make sense of this last statement by understanding W D to be spanned not 
only by P, b ut by the mpth infinitesimal neighborhood (i.e., osculating plane) of 
P on C (see [ GH |, pp. 248 and 264). We shall interchangeably use W D to refer to 
the d-dimensional subspace of V* and to the corresponding (d— l)-plane in P(l^). 
In this point of view, the fact that H°(C ~ D) has no base points means that the 
points of D are linearly independent (even including multiplicity), and that the 
plane W D intersects C precisely in the divisor D. This gives another way to see 
the injectivity of the map D t— > Wd ■ 

So far, we have worked over an algebraically closed field. The above discussion 
continues to hold if C and £ are defined over an arbitrary perfect base field k, 
provided that we restrict ourselves to divisors D rational over k. This means that 
for all Galois automorphisms a £ G&\(k/k), we have an equality of divisors (and 
not just of divisor classes) oD = D. In that case, the vector spaces V and Wd are 
finite-dimensional over k, and all our work can be done over the field k. This is 
quite convenient computationally, as we do not need to work with individual points 
of D, which can themselves be defined over extensions of k. Still, our main goal in 
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working with Sym d (C) is to descend to the Jacobian J of C. In that setting, the 
above notion of rationality can fall somewhat short: a point of J(k) need not be 
representable by a divisor rational over k, since we now only require equality of the 
divisor classes D and cr(D) . This problem arises only if C itself has no points defined 
over k; in that case, the obstruction to lifting a point of J(k) to a divisor rational 
over k lies in the Brauer group of k (see Remark 1.6 of [Q). We are primarily 
interested in the case where k is a finite field (so the Brauer group is trivial), so 
we shall henceforth ignore the above distinction between rationality questions on 
the symmetric product and on the Jacobian. We merely remark that in working 
with various spaces of sections of line bundles (such as H°(£ — D)), we shall work 
over the algebraic closure k when needed, and then deduce the desired results for 
k. A typical example is the following lemma, which is a slight generalization of the 
theorem by Castelnuovo, Mattuck, and Mumford cited above. 

Lemma 2.2 ("Multiplication"). Let C be a smooth, geometrically connected al- 
gebraic curve of genus g over a perfect field k, and let £\ and £ 2 be two line bundles 
on C (both defined over k), of degrees d\ and d^. Assume that d\,di > 2g + l. Then 
the canonical (multiplication) map 

(2.2) ^■.H {£ 1 )(g, k H {£ 2 )^H (£ 1 (g,£2) 
is surjective. 

PROOF. We sketch a proof, adapting the exposition in Sections 1.3 and 1.4 of 
HJ, which treats the case £\ = £2- It is enough to prove the result after extending 
the base field from k to k, since base extension of linear maps defined over k does 
not change the dimension of their kernels or images. This principle will be used 
constantly in this article. 

We assume without loss of generality that di < and begin with the following 
exact sequence of vector bundles on C (using the notation of Q ) : 

(2.3) 0^M Cl ^ if°(£i) O O c A->0. 

Here a is the "evaluation" map, and M.£i = kera. We have used the f act t hat £\ is 
base point free, i.e., that it is generated by global sections. Tensoring (2.3) with £2 



and taking cohomology reduces our problem to showing that H 1 (Aic 1 ® £2) = 0. 
To this end, choose r = d± — 1 — g points P%, . . . , P r on C in general position (this 
is where we really need to work over k). Then, by Lemma 1.4.1 and the beginning 
of the proof of Theorem 1.2.7 of Q, we obtain the following exact sequence (where 
we have temporarily lapsed back into writing line bundles multiplicatively) |j 

r 

(2.4) o_ jCr i(^p i )_M £l ->©UOo(-P<)-»0. 

i=l 

Tensoring this sequence with £2 and taking cohomology reduces our problem to 
showing, first, that H 1 (£2(—Pi)) = for all i (as is clear by using Serre duality 
and looking at degrees), and, second, that H 1 (£ 2 <£> £r 1 (S[=i ^»)) = 0. This last 

1 This is where we use the fact that d\ > 2g + 1, so r > g, and we can guarantee that 
C\ (— Yl Pi) n °t only has a two-dimensional space of global sections, but is also base point free for a 
gene ric choice of poi nts P i . . . . P r , because it is a generic line bundle of degree g+l. We then obtain 



(2.4) by combining ( J2 . 3| ) with an analo gous exact sequence for <Ci(— Yl Pi), and using the snake 



lemma. We also note that the analog of (2.3) allows us to deduce that C 1 Pi) — J^C%(— Y, P 



This is known as the "base point free pencil trick" ; for more details, refer to the exposition in 



and to [A.CGH], pp. 126 and 151, particularly Exercise K. 
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statement is equivalent to requiring H°(1C (g> C^ 1 ® £i(— -^)) — 0' where 

we write /C for the canonical bundle on C. Since we have assumed that d 2 > 
di, we see that the line bundle £3 = K <E> £2"* ® £1 has degree at most 2g — 2. 
Therefore dimi/°(£3) < g, because we can embed if (£3) into the g-dimensional 
space if (£3 (£))), where £) is any effective divisor of degree 2g — 1 — deg£3. Since 
the r points Pi, . . . ,P r impose r > g zeros, we obtain that H a (C^(— Y2t=i ft)) = 
for generic P\, . . . ,P r , as desired. □ 



since it 



Our last result in this section is a converse of sorts to Lemma 2.2, 
describes a kind of "division" of sections of line bundles. This relatively easy 
lemma/algorithm is crucial to our results, perhaps even more so than the somewhat 



deeper Lemma 2.2 



Lemma/ Algorithm 2.3 ("Division"). Let C be a curve as in Lemma \2.3j. Let 
£l and £ 2 be line bundles (written multiplicatively in this lemma/algorithm), and 
let D\ and D2 be effective divisors on C, where everything is defined over k. (We 
allow D\ or D2 to be zero.) Assume that £ 2 (— D 2 ) has no base points (over k); 
for example, it is sufficient to have deg£ 2 — deg£>2 > 2g. Let \i : H (£1) ® 
H°(C2) — > -ff°(£i (g> £2) be the multiplication map, as before. Assume that we know 
the subspaces H°((d <g> £ 2 )(~A - D 2 )) C #°(£i ® £2), a^rf H°{£ 2 (-D 2 )) C 
i? (£2). Tften we can compute H (£%(— D%)) to be the space 

(2.5) 

{s e i/°(£i) I Vt € H°{C 2 (-D 2 )), fi(s <8 i) e ff°((£i ® £ 2 )(-Di - Da))}- 

A^ofe </ia< /or computational purposes, it is enough to let t range only over a basis 
for H°(jC.2(—D 2 )) (and not over the whole space) in equation ( [2.5| ). 



Proof. The fact that H°{L\{— D\)) is a subset of the space defined in fl2.5|) is 
immediate. As for the reverse inclusion, it follows from the fact that H (C 2 (-D 2 )) 
has no base points. To see why, extend scalars to k, and write D\ = ^ p mpP, and 
£>2 = ^2p npP, where only finitely many of the mp and np are nonzero. For any 
point P on C, base point freeness means that we can find t £ H°(jC 2 (—D 2 )) which 
(when viewed as a section of H°(C 2 )) vanishes at P to order exactly np. Thus, if 
s G H°(Ci) satisfies the condition in equation ( |2.5| ), then /i(s ® t) vanishes at P to 
order at least mp + np, from which we conclude that s vanishes at P to order at 
least mp. Since P was arbitrary, we obtain that s G H°(£i(—Di)), as desired. □ 



Remark 2.4. Lemma/ Algorithm 2JS works even if the output, if°(£i(— Di)), 
fails to be base point free. The fact that our section s is required to vanish at £>i 
may well have severe consequences for the behavior of s at other points of C . 



Remark 2.5. In Remark 3.8 below, we shall see that actually calculating 



H°(£i ® £2) as the image of fi, as in Lemma 2.2, can be done in 0(S 4 ) steps, 



if the dimensions of the vector spaces involved are of the order of 5. (In our appli- 
cations, S is a small constant times g.) We caution the reader to avoid an overly 
naive implementation of the calculation that would take time 0(5 5 ). We shall also 
see in the same remark below that the operation in Lemma/ Algorithm [2.3] can be 
implemented in time 0(<5 4 ). 
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3. Basic algorithms on divisors 

As in Section |], let C be a curve of genus g over a perfect field k, and fix a line 
bundle £ on C of large degree N, which will be at least 2g + 1, and typically some- 
what larger. Throughout this section, except briefly in Theorem/ Algorithm |3 . 14 , 



the letters D, D', and E will refer to effective divisors on C (that are rational over 
k), of degrees d, d', and e. 

We represent an effective divisor D of degree d < N — 2g by the codimension e? 
subspace Wd = H°(£ — D) of the vector space V — H°(C); alternatively, we can 
work with its annihilator W D C V* , corresponding to the span of the points of D 
(counting multiplicity) in the projective embedding of C into P(V). In later sec- 
tions, we give various choices of parameters that allow us to apply the algorithms of 
this section to compute in the Jacobian of C. For ease of following the exposition in 
this section, we advise the reader to keep in mind the application given in Section |I| 
In that setting, g > 1, and C will have the form 3£o = Cc(3-Do) for D a divisor 
of degree do > 2g; there is some benefit in even assuming that do > 2g + 1, as this 



allows us to use either Theorem/ Algorithm 3.£ or 3.13, whereas if we use do = 2g, 
we can only use the latter Theorem/Algorithm. The reader should probably use 
the value do = 2g + 1 , whence N = 3do = 6g + 3 . The values of d that will appear in 
our application are d = do{= 2g + 1, say) and d = 2do(= 4g + 2); an effective divisor 
D of degree do will be called small, and a divisor of degree 2do will be called large. 
A small divisor D will describe a point on the Jacobian J corresponding to the line 
bundle Oc(D — Do), and a large divisor D' will usually arise as an effective divisor 
equivalent to 3 -Do — D for some small divisor D. Nonetheless, we carry through our 
analysis for more general values of N and d, subject to certain inequalities. This 
allows for different versions of our algorithms, depending on which parameters and 
design choices are most suitable in a given context. 

We begin by identifying the subspaces Wd H We and Wd + We, in terms of 
divisors related to D and E. These subspaces are dual to W D + W E and W D C\W E . 
From either point of view (either thinking of Wd as a space of sections which vanish 
at D, or of W D as the span of the points of D), it is very plausible that these new 
subspaces should correspond to the divisors DUE and DDE, at least if all the 



multiplicities of points are at most 1. The content of Proposition/ Algorithm 3.2 is 



that a result of this kind holds in general, provided we make the following definition. 

Definition 3.1. If D = J2mpP and E = ^2npP are two (effective) divisors, 
then we define 

(3.1) DU£ = ^max(mp,np)P, D D E = ^ mm(m F , np)P. 

Note that if D and E are both defined over k, then so are DUE and DDE. 

Proposition/ Algorithm 3.2 (Union and intersection). Given D and E as 



in Definition 3.1, then in all cases Wd H We = Wdue (or, dually, W D + W E — 
W DUE ). If furthermore deg(Z) U E) < N — 2g, then we can recover DUE from 
the subspace Wdue, and we also obtain Wd + We — Wdhe (dually, W D (1 W E — 

Proof. The first statement is trivial, as we are requiring sections to vanish 
at P simultaneously to order at least mp and at least np. The condition on 
the degree of D U E is to ensure that H°(C — (DUE)) is base point free by 



Lemma 2.1, so that we can recover DUE. Moreover, codim Wdue = deg(Z? U E) 
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in that case. As for Wdhe, we always have Wd + We C Wdhe- If we know that 
deg(Z? U E) < N — 2g, then we can conclude equality by comparing dimensions, 
since codim(W / D + We) = codimW^n + codimW-s — codim(Vt / £) n We), and an 
analogous equality holds for the degrees of the corresponding divisors. □ 



Remark 3.3. In the context of Section |[ Proposition/ Algorithm 3.2 allows us 



to find the union and intersection of two small divisors D and E, since in that case 
the degree of D U E cannot exceed d + e = 2do = N — do < N — 2g. In case these 
divisors are disjoint, as can be measured by looking at their intersection, this gives 
a simple way to compute the sum of these divisors. We formalize this below, and 
throw in an easy algorithm to see if one divisor is contained in the other. By this 
we mean the following definition: 

(3.2) £) = V" mpP c£ = V n P P for all P,m P < n P . 

Proposition/ Algorithm 3.4 (Disjointness and inclusion). Given divisors D 
and E, of degrees d and e respectively, then: 

1. Ifd+e < N—2g, then we can test if DnE — by checking ifWo + Ws = V 
(alternatively, W D HW E — 0). In that case, D + E = DUE can be calculated 



as Wd+e = Wd H We, by Proposition/Algorithm 3.L An alternative to 
checking if Wd + We = V is to simply compute Wd H We and to see if the 
intersection has codimension d + e. 



2. If d,e < N — 2g, then we can test if D c E (in the sense of (3.2),) by testing 
whether W E C W D (dually, ifW D cW E ). 

Remark 3.5. The linear algebra calculations to which we reduce our problem 
in our algorithms can be tested easily using standard techniques of Gaussian elimi- 
nation. This involves choosing a basis for V (hence an isomorphism V = k N+1 ~ 9 ), 
and expressing everything in terms of the resulting coordinates on V. A subspace 
such as Wd can then be represented in terms of a basis for Wd, expressed in terms 
of the coordinates on V. Alternatively, one can work with W D instead of Wd, since 
for small divisors, W D has smaller dimension. The drawback to this is that using 
W D appears to be less efficient for our later algorithms, which involve the multipli- 



cation map fi. We also refer the reader to a side observation in Remark 3.8 for an 
idea of how to test whether D and E are disjoint even if d + e > N — 2g; however, 
that method requires the slightly stronger hypothesis that d, e < N — 2g — 1. Alter- 
natively, one can replace C with a line bundle of higher degree, as in the discussion 
at the end of Section ||. 

We now describe an algorithm to add two divisors in general, whether or not 
they are disjoint. We need to assume knowledge of the multiplication map 

(3.3) n : V® V = H°(£) ® k H°(£) H°(2C). 

In the case that interests us, N > 2g + 2. Then knowledge of fj, is tantamount 
to knowing the quadratic polynomials that define C in the projective embedding 
given by L, as mentioned just before equation (^J). The map fi can be represented 
explicitly in terms of bases for V and for H°(2C). The technique in the theorem 
below is fundamental, and plays a role in all the remaining algorithms of this 
article. We give a geometric interpretation of this technique after the proof of 



Proposition/ Algorithm p.9| below. In Theorem/ Algorithm 3.13 below, we give a 
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second algorithm for addition of divisors, using some similar ideas. The other 
algorithm works in a slightly more general context than the following algorithm, 
but the first algorithm is perhaps simpler to explain. 

Theorem/ Algorithm 3.6 (Addition of divisors (first method)). Let D andE 
satisfy d, e < N — 2g — 1. Then we can compute Wd+e in the following steps: 

1. Restricting to the subspace W D <g) W E = H°(C — D) H°(C - E) of 
V <g> V, we obtain from Lemma |J that fi(W D <g> W E ) = H a (2C - D - E). 
The subspace H°(2C — D — E) of H°(2C) can be computed as the span of 
n(si <S> s'j), as Si and s'j range over bases for Wd and We respectively. 



2. Using Lemma/Algorithm 2.1, we compute 
(3.4) W D+E = {se V | Vie V, fi(s®t) G H°(2£- D- E)}. 

Recall that one only needs to let t range over a basis for V . 
PROOF. In order to apply Lemma/ Algorith m [2.3| , we need to observe that 



H°(C) is base point free. This holds by Lemma 2.1, since our assumptions imply 



that N > 2.g + 1 + d > 2g. □ 

Remark 3.7. In order for knowledge of Wd+e to allow us to uniquely recover 
D + E, we need to know that d + e < N — 2g; in the setting of Section [|, for 
example, this would require both D and E to be small (and do > 2g + 1), even 
though the above algorithm correctly calculates Wd+e in case one of the divisors 



is small, and the other large. Nonetheless, for use in Theorems/ Algorithms 4.1 



and 5.5 and elsewhere, we have presented the above algorithm in the general case, 
even if Wd+e does not uniquely determine D + E. We note as an aside that this 
last case happens precisely when H°(C — D — E) has base points, and in that case 
the inclusion 

(3.5) n(H°{£ -D-E)® H°(C)) C H°(2C - D - E). 



will be strict, since H°(2£ — D — E) will never have base points, by Lemma 2.1 



(This of course does not affect the validity of our proof; in the easy half of the proof 



of Lemma/ Algorithm [2.3| , we only need the inclusion in equation (3.5) to obtain 
that Wd+e C {s as above}.) 

Remark 3.8. We discuss some practical issues in implementing the above al- 



gorithm, beyond the fact that Theorem/ Algorithm BJ3 settles the theoretical issue 
of computing Wd+e- We also discuss the running time of the algorithm. Let the 
dimensions of the vector spaces involved in the calculation be of the order of 5 
(this is approximately dimV^ = N + 1 — g, which is O(g) for all our applications). 
Then an overly naive implementation of the algorithm as stated above takes time 
0((5 5 ), but a little care brings this down to 0(8 A ). We can use some randomness 
to make the algorithm slightly faster, but still taking 0(8 4 ) steps. (We remind the 
reader that we count an operation in the field A: as a single step, taking one unit 



of time.) We note that our second algorithm below, Theorem/ Algorithm 3.13, also 
takes time 0(S 4 ). 

We first discuss why the naive implementation of Theorem/ Algorithm |3.6| runs 
in time 0(5 5 ), and how to reduce this time to 0(S 4 ). We assume that fi is 
implemented in terms of fixing a basis {ti} for V, and storing all the products 
Vij = fi(U ®tj) e H°(2C). Moreover, a subspace Wd is represented by choosing 
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a basis, and writing all the basis elements in terms of the t,. Then it takes 0(<5 3 ) 
operations to calculate each individual /i(sj ® s'j), as and s'j range over bases for 
Wd and We- Since there are 0(5 2 ) such pairs (sj,s'-), it seems that we will need 
0(5 5 ) steps merely to write down a spanning set for H°(2C — D — E), viewed as 
a subspace of the 0((5)-dimensional space H°(2£). However, we can proceed more 
quickly, at the expense of using more memory, as follows: first calculate (and store) 
each product my = /i(sj ® tj), as Si ranges over a basis for Wd, and tj ranges over 
the standard basis for V. This takes only 0(S 4 ) steps, since each individual multi- 
plication n{si ® tj) now needs only 0{5 2 ) operations, as it involves only the vyj for 
a fixed j and varying i'. Now if E = 0, we are already done; more generally, we use 
the Wij to assemble all the products /x(s; (g) s'j) in a further 0{8 A ) steps. Since these 
products will virtually always be linearly dependent, we should then use Gaussian 
elimination to reduce these products to a basis for H Q (2£ — D — E). This takes 
0((5 4 ) operations, since we have 0(S 2 ) vectors to reduce inside the 0(<5)-dimensional 
space #°(2£).g 

All of this takes some time. So in practice (at least when d + e < N — 2g), 
one should rely on the fact that the divisors D and E are likely to b e di sjoint, and 



simply compute Wd H We, as mentioned in Proposition/ Algorithm 3A. This only 
takes 0(5 3 ) operations. If the intersection has the right codimension d + e, which 
should happen rather often, then we immediately obtain Wd+e as this intersection. 
We note that in the undesirable case d + e > N — 2g, it does not seem to be 
worth the computational effo rt to check if D and E are disjoint; one might as well 
use Theorem/ Algorithm |3.6| directly. (Here is one idea of how one can adapt our 
algorithms to check that D and E are disjoint, even if d + e > N — 2g: first calculate 
H°(2C — D) = [i{W D <g> V), and similarly H°(2C - E): this works, and takes time 
<3(<5 4 ) as before. Then find the intersection H°(2C - D) n H°(2C - E) inside the 
larger ambient space H°(2£) instead of H°(£). This amounts to using 2N instead 



of N, which allows us to proceed as in Proposition/ Algorithm 3.4, since d + e is 
now less than 2N — 2g.) 

Coming back to the issue of calculating fi(Wo ® We), we note that we can 
also try to avoid calculating all 0(5 2 ) products fi(si ® s'j). Instead, we randomly 
choose 0(5) pairs of the form (s, s'), where s £ Wd and s' £ We are random 
(nonzero) elements. In that case, the resulting products /x(s ® s') are likely to 
already span H°(2C — D — E), especially if we take, say, twice as many pairs (s, s') 
as the dimension of H°(2C — D — E). With high probability, this reduces the time 
we spend on finding h(Wd (8 We), but it still involves 0(S 4 ) operations, since one 
must calculate the fi(s ® s'). On the other hand, this reduces the time spent on 
Gaussian elimination to 0(<5 3 ), but without an assurance of success as we have not 
necessarily used a full spanning set for H°(2C — D — E). 



As for the "division" calculation in step 2 of Theorem/ Algorithm 3.6, it can be 
done in 0(5 ) operations as follows: first, find a matrix M, representing a linear 
transformation from H°(2C) to k d+e , whose kernel is precisely H°(2C — D — E). 
This amounts to finding a basis of the annihilator H°(2C - D - E)* C H°(2C)*, 
and can be done in time at most 0(S 3 ) (even 0(5 2 ), if the basis for H°(2C — D — E) 



2 It would be interesting to try to use the fact that for fixed i and varying j (or vice- versa), 
the products fi(si(&s'j) are known to be linearly independent before we start Gaussian elimination. 
Still, there are adva ntag es to obtaining a basis for H° (2C — D — E) in echelon form, once we invoke 



Lemma/ Algorithm 2.3 
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is already in echelon form). Recall that we have on hand all the products v. 



i j 



n(ti (g> tj) e H°(2C), where the fj are a basis for V . We now need to solve for 
s = J2i x iti such that f° r au h J2i x iM(vij) = (0, ... ,0) G k d+e . Computing the 
various M(vij) takes 0(S 4 ) steps, and the resulting Gaussian elimination to solve 
for the tuples (. . . , Xi, . . . ) representing s takes 0(5 4 ) operations, being a system 
of 0{5 2 ) equations in 0(6) variables. We point out that we will late r still be 
able to perform similar calculations (inspired by Lemma/ Algorithm |2.3|) in 0(S 4 ) 
operations, even if we no longer have t ranging over all of V . This is necessary for 
equation (|3.7|) in Proposition/ Algorithm 3.9, as well as Theorems / Algorithms [3~To| , 



3.13, and 3.14. The idea is that we need to compute v'^ = n(ti<S>t'j) for ti as before, 
but with t'j ranging over a basis for some suitable subspace of V. Each v[j can be 
computed from the existing collection of Vy in 0(5 2 ) operations, so it takes time 
0(6 4 ) to assemble the v'^, and the calculation proceeds as before. 

Our next algorithm is a straightforward illustration of the ideas in Theo- 



rem/Algorithm 3.6. Given two divisors D = ^mpP and E = ^npP, we may 



wish to calculate the divisor 

(3.6) E\D = ^max(0, np — mp)P. 

In case the multiplicities are at most 1, then this is the usual operation on sets of 
points. If D C E, this is just subtraction of divisors. 

Proposition/ Algorithm 3.9 (Set subtraction). Given D and E, with d < 
N — 2g and e < N — 2g — 1, we can calculate We\d as follows: First, calculate 
H a (2C -E) = n(W E ® V). Then compute 

(3.7) W e \d = {s 6 V | Vfc 6 W D , p(« ® *) e H°(2C - E)}. 
PROOF. Lemma [Es gives us the surjectivity of /x : H°(C — E) ® H°(C) 



H°(2£ — E). As for (3.7), it follows from a modification of the argument in 
Lemma/ Algorith m |2.3| , since H°(C — D) has no base points. Note again that the 
computation on (|3.7D can be done effectively by letting t range only over a basis 
for W D . □ 

We now come to the most important basic algorithm in this section. It is close 



to Theorem/ Algorithm 3.6 and Proposition/ Algorithm 3.9, but we shall first pause 



to describe what the algorithm is doing geometrically. Our discussion will also shed 



light on Theorem/ Algorithm 3.6. The geometric picture is best understood in terms 
of the projective embedding of C into P(V) given by C, and in terms of ideals of 
the graded projective coordinate ring of P{V). To this end, let A = Sym* V be 
this projective coordinate ring; A is the symmetric algebra on V, and an element 
of V is a linear (degree one) polynomial whose vanishing set defines a hyperplane 
in P(V). The curve C is defined by a homogeneous ideal lc, which is generated 
in our application by elements of degree two, and these elements can more or less 
be identified with the kernel of fi : V <8> V — > H°(2C). (The quotient A/1c is the 
projective coordinate ring of C, and fi is just multiplication in this quotient.) Given 
a divisor D and its associated subspaces Wd and W D , we shall abuse notation 
and also write W D for the corresponding plane in P(V), as described just after 



Lemma 2.1. In that case, we write X\y for the ideal defining this plane; X\y is then 
generated by Wd , which consists of the linear functions vanishing on W D . As we 
have seen before, D = W D fl C. In terms of ideals, this means that D is defined by 
the ideal Id = Iw +1c = WdA + Ic- 
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Now our next algorithm implements the following operation: given a section 
/ G Wd, we know that / (viewed as a section of C) vanishes at a divisor of 
the form E = D + D' belonging to the equivalence class of C. We then wish 



to find Wd 1 , essentially by the same method as in Proposition/ Algorithm 3.9 
Geometrically, the zero set of / is a hyperplane H passing through D, and its ideal 
Ih is generated by /. Then the divisor E is the intersection H PI C, and is defined 
by Xe = Ih + Ic = fA + Ic- As a zero-dimensional scheme, we then obtain that 
D' = E\D should be defined by 

(3.8) X D , = {X E :X D ) = {aeA\ aX D C X E } = {a G A \ aW D C fA+I c }- 

Namely, functions should vanish on D' if and only if when we multiply them by a 
function vanishing on D, we obtain a function vanishing on E = D n D' = H n C. 
This fact is not so immediate if D and E have multiplicities greater than 1; it is 
essential, for example, that our divisors lie on a fixed curve, so that every extra 
order of vanishing at a point P imposes exactly one more condition on homogeneous 
polynomial functions, provided that the degree of E is not too large. At any rate, 
we are not interested in the ideal defining D' itself, but rather in the plane W D , 
spanned by D' . Dually, we only wish to determine Wd', which consists of the 
linear functions vanishing on D' . Thus we only seem to need to find the degree 
one elements of Id 1 ■ Using ( |3.8|), this leads us to the calculation that we present 



below in Theorem/ Algorithm 3.1C. (Multiplication of linear functions and taking 
the quotient by the quadratic elements of Xc is exactly the map /x.) Again, the fact 
that we can content ourselves with the degree one elements of Id 1 is not so trivial: 
in general, the vanishing set of a homogeneous ideal on projective space depends 



only on the saturation of that ideal (exercise II. 5. 10 of [Ha]; note that step 2 in 
Theorem/ Algorithm |3.6| is effectively computing a saturation). Now knowing the 
degree one elements of a saturation can in principle involve elements of arbitrarily 
high degree in the ideal. To do this algorithmically in general would probably 
involve Grobner basis techniques, which will typically be slower than our methods — 
the Grobner basis calculations can take exponential time in the worst case (although 
they are efficient for "most" calculations), and even their average case behavior is 
likely to be slower than our linear algebra calculations. The point of our techniques 
is that we can use them to justify the geometric reasoning in the above heuristic 
argument. We therefore (finally) present the following result. 

Theorem/ Algorithm 3.10 (Flipping algorithm). Let D be an effective divi- 
sor of degree d < N — 2g. Take a nonzero element f G Wd, and write the divisor 
of f ( viewed as a section of L) as 

(3.9) (f) = E = D + D'. 

Thus d! = deg-D' = N — d, and D' belongs to the divisor class of C — D. Then we 
can compute Wd 1 in the following steps: 

1. Calculate H°{2£ - D - D') = n(f <g> H°(C)). 

2. Compute Wd' = {s G H°(C) \ for all t in (a basis for) Wd, m( s ® t) G 
H°(2£-D-D')}. 

Note that if furthermore d > 2g, then knowledge of Wd 1 determines D' uniquely, 



by Lemma 2.1. 



Proof. The identity in the first step (which amounts to computing the image 



of the degree two elements of fA in the quotient A/Xc) does not need Lemma 2.2 
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but turns out to be much simpler. In fact, multiplication by / is a bijection between 
H°(C) and H°(2C — D — D'), the inverse being division by / (which does not 
introduce any poles!). Then the second step above (which is the degree one part of 
the left hand side of ( |3.§| ), whose computation involves some degree two elements 
on the right hand side) follows from Lemma/ Algorithm |2.3| , since H°(C — D) has 
no base points. □ 

Remark 3.11. In the setting of our application in Section [|, we have L — 
Oc(3Dq), N = 3do, and do > 2g. The above algorithm then allows us to go 
from a divisor D (which may be small or large, corresponding to d = do or 2do 
respectively) to a complementary divisor D' (which is then respectively large or 
small), such that D + D' is linearly equivalent to 3Dq. This is reminiscent of the 
theory behind the Weierstrass embedding of an elliptic curve via a cubic equation, 
except that we are contenting ourselves with quadratic equations and must therefore 
use a more positive line bundle for our embedding of C. In Section |5|, we go 
through analogs of our construction using smaller divisors (e.g., do = .9 + 1, and 
N = deg£ = 3g + 3), working instead with "higher degree equations," roughly in 
the sense of multiplications V <£> V <£> . . . ® V — > H°(nC). 



Remark 3.12. Theorem/ Algorithm 3.1C also runs in time 0(8 ), in the nota- 



tion of Remark 3.8. This is because the "multiplication" involved in computing 
/•*(/ ® V) takes 0(S 3 ) steps, including reducing the basis {fi(f <8> U)} for H°(2C — 
D — D') to echelon form. (We already know that the vectors {n(f^)ti)} are linearly 
independent.) It then takes another 0(S 4 ) steps to implement the second "division" 
step of Theorem/ Algorithm |3.10 , by the same discussion as in Remark 



Now that we have discussed the flipping algorithm, we use a slight variant of 
it to give a second algorithm to compute the sum of two divisors. It is not clear 



whether this is more efficient than Theorem/ Algorithm 3.6, as the new algorithm 
still requires time 0(S 4 ), although it involves slightly different linear algebra. On 
the other hand, it has slightly weaker hypotheses, and can work in the setting of 
Section [| with do — 2g. 

Theorem/ Algorithm 3.13 (Addition of divisors (second method)). Let D anc 
E be two divisors with 2g < d < N — 2g. (We do not make any assumptions on e.) 
Then we can compute Wd+e = H°(C — D — E) as follows: 

1. Choose a nonzero f € Wd, whose divisor (viewing f as a section of C) is 
(/) = D + D' ; proceed as in Theorem/Algorithm 3.1(\ to compute Wr>' ■ 



2. Also compute H°(2C - D - D' - E) = fi{f ® We). 

3. Now compute W d +e = {s G V | Vt G Wd>, m(« ® t) G H a (2C - D - D' - 
E)}. 

PROOF. This is an almost verbatim adaptation of the argument in Theo- 



rem/Algorithm 3.10 . The hypothesis on d ensur es t hat Wd and Wjj' have no 
base points. Note that, as in Theorem/ Algorithm |3.6| , we cannot hope to recover 
the actual divisor D + E unless d + e < N — 2g. □ 

We conclude this section with an algorithm which tells whether a given codi- 
mension d subspace W C V actually is of the form Wd for a divisor D. In other 
words, given a point on the Grassmannian Gd(V), we wish to identify whether or 
not it lies in the image of Sym (C). Since we have not explicitly written down 
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equations describing this subvariety of the Grassmannian, we have to do something 
cleverer than checking whether certain polynomial functions vanish. The answer 



turns out to be relatively straightforward, using Theorem/ Algorithm 3.10. Once 
again, the algorithm takes time 0(5 4 ). 

Theorem/ Algorithm 3.14 (Membership test). Let W c V = H°(£) have 
codimension d, where 2g < d < N — 2g. (In particular, N > Ag.) Choose any 



nonzero f € W , and compute W in the same way as in Theorem/Algorithm 3. It; 
i.e., 

(3.10) W = {s € V | Vi € W, |i(s®f)€/j(/®F)}. 

Then W is of the form Wd for some (uniquely determined) D if and only if the 
codimension of W in V is N — d, or equivalently if dim W' = d + 1 — g. 

Proof. If W is of the form Wd, then the resulting W' is equal to the space 



Wd 1 in Theorem/ Algorithm 3.10, where the degree of D' is d! = N — d. Then 
C — D' has degree d, and the result follows. Conversely, given any W, define a 
divisor D = ^mpP by the property that for each P, mp is the minimum order 
to which any nonzero section s 6 W vanishes at P (viewing s as a section of C). In 
other words, D is the largest possible divisor for which W C Wd, and D is the only 
possible candidate for a divisor which might give rise to W . (One easily checks that 
D is defined over k, even if the individual points are only defined over k, but we do 
not actually need this fact for our proof, and give our proof by working entirely over 
k. As usual, there is no problem in extending scalars from k to k for the proof.) 
Note that we do not yet know whether deg D = d, in contrast to our previous 
notational convention. We do know, however, that degD < d, since otherwise, 
by Lemma ^J, the codimension of Wd would be at least d + 1 , contradicting the 
inclusion W C Wd- We see in fact that degD = codimWu < d = codimiy, and 
that W = Wd if and only if deg D = d. 

Now our choice of / gives us in particular a nonzero element of Wd, so the 
divisor of / is of the form D + D' , where 

(3.11) d! — deg D' = N — deg D > N — d. 

The same reasoning as in Lemma/ Algorithm |2 . 3| then shows us that W' = Wd 1 (the 
main point is that [i{f®V) = H°(2£-D-D'), just as in Theorem/ Algorithm |3.10fc 
on the other hand, for each P, we can already find a section t £ W that vanishes 
at P precisely to the minimum possible order mp). Now suppose that deg-D' were 



different from N — d. In that case, equation (3.11) would imply that d' > N — d + 1. 
Let E be the sum of any N — d+1 points of D'; then the codimension of Wd 1 
in V would be greater or equal to the codimension of We, which we know to be 
N — d +1 (we are using the fact that N — d+1 < N — 2g + 1, so as to apply 



Lemma 2T). This would contradict our assumption on the co dimen sion of Wd 1 ', 



hence we conclude that deg D' = N — d after all, and hence by ( 3.11 ) we conclude 



that deg D = d and that W — Wd , as desired. □ 

4. The large model: Weierstrass-style algorithms on divisor classes and 

on the Jacobian 

We now describe a way to work with divisor classes on C, which is inspired by 
the usual geometric definition of the group law on an elliptic curve represented by 
the plane cubic equation y 2 — x 3 + ax + b. Actually, in many cases, we give two 
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algorithms for the basic operations, the first of which is straightforward and elegant, 
and the second of which is somewhat more efficient, and is given to illustrate various 
techniques. In Section |[ we give slightly faster algorithms, using a somewhat more 
compact representation of divisor classes. In all cases, the various algorithms require 
0(S 4 ) operations in the field k, where S = dimT^ is approximately 5g. The main 
improvement in speed in Section |^ comes from our bringing S down to a smaller 
multiple of g there. Thus the algorithms in Section || supersede the ones here, at 
the expense of elegance. The basic structure of all the algorithms is roughly the 
same in all settings. We refer to the setup in this section as the large model. 

We write D ~ E to denote that the divisors D and E are linearly equivalent, 
and we denote the equivalence class of D by [D] . We keep the notation of Section [| 
and specialize the situation to our application as follows. Take an effective divisor 
Dp of degree dp > 2g (or 2g + 1, if we wish to repeatedly use Theorem/ Algorithm 



3.6 instead of 3.13 ). Fix the ambient line bundle C — Oc(3Dp); thus N = 3dp > 6g. 
Not surprisingly, we also assume that g > 1 (but everything works with g = and 
do > 1, if one is desperate or perverse enough to use these algorithms in that case). 
We note that it may be tricky to find Dp of a specific degree, unless the curve C 
contains one or more explicitly known rational points. In the best case, dp = 2g, 
and the dimension of the space V\s5 = N+ \ — g = 5g + 1. 

An element of the Jacobian of C is a linear equivalence class of degree zero 
divisors; these can all be obtained as classes of the form [D — Dp], where D is 
an effective divisor of degree do, called a small divisor. Given such a divisor, it 
corresponds to the element xjj of the Jacobian, given by 

(4.1) xd = [D — D ], which is represented by the subspace Wd C V. 

(Thus, if do = 2g, then Wd is a (3g + l)-dimensional subspace of V.) We shall also 
occasionally make use of large divisors, namely, divisors of degree 2dp, for intermedi- 



ate results in computations. We have already addressed in Theorem/ Algorithm 3.14 
the question of how to test whether a subspace W C V actually corresponds to an 
element of the Jacobian. We now turn to the question of deciding when two such 
subspaces, of the form Wd and We, represent the same element of the Jacobian. 
This amounts to testing whether the divisors D and E are linearly equivalent. 

Theorem/ Algorithm 4.1 (Equality of divisor classes). Let D and E be di- 
visors of the same degree d < N — 2g; typically, they will be either both small, 
or both large divisors, represented by Wd and We- Choose any nonzero section 
f G Wd, whose divisor (viewing f as a section of C) is (/) = D + D' ~ L ~ 3Do- 
Then compute Wd'+e in one of the following two ways: 

Use Theorem/ Algorithm to compute the space Wd> , and then compute 



Wd'+e by Theorem/Algorithm 3.6 or S. IS. This is less efficient but easier to 



explain than the method proposed below. However, this first method further 
requires the assumption that 2g + 1 < d < N — 2g — 1, in case we use 



Theorem/Algorithm \i.b\ If we use Theorem/ Algorithm 3. It instead, then 
we can weaken the assumption to 2g < d < N — 2g . 



Alternatively, adapt the method of Theorem/ Algorithm 3.15, without explic- 
itly calculating Wd 1 ■ Namely, calculate H°(2C —D — D' — E) = fi(f (g> We), 
and then obtain W D '+e = {s £ V \ Vf G W D , m(s ® t) G H°(2C -D- 
D'-E)}. 
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Then, in either case, E ~ D (i.e., [E] = [D], meaning xe = xd on the Jacobian), if 
and only if the space Wd'+e is not zero, in which case it must be one- dimensional. 

Proof. The second method to calculate Wd'+e works by the same reasoning 
as in the proof of Theorem/ Algorithm p. 13 . Now if there exists a nonzero s <E 



Wd>+e, then its divisor of zeros (s) (viewing s as a section of C) is an effective 
divisor of degree N which contains D' + E. By comparing degrees, we see that 
D' + E = (s). However, (s) and (/) are linearly equivalent (both belong to the 
class of C), from which we obtain E ~ D. Conversely, if we have E ~ D, then 
D' + E ~ C, and it follows that Wd'+e = H° (Oc (jC — D' — E)) H°{O c ) = k. □ 

Remark 4.2. In the first method above, instead of using Theorem/ Algorithm 



3.6 or 3.12 to compute Wd'+e, we can choose the section / randomly, in which 
there is a high probability that the divisors D' and E are disjoint. In that case, 
we simply check if there are any nonzero elements in Wd 1 H We = Wd'+e- As 



mentioned in Remark 3.8, it may not be worth our while to test whether D' and E 
are disjoint; however, if the intersection is zero, then we can at least immediately 
conclude that xe ^ xd, which saves a good amount of time. Another point to 
consider is that if we wish to test the equality of many different classes [E] against 
[D] by the first method, we should probably compute Wd' just once, instead of 
choosing a random / each time. We note incidentally that the space Wd'+e that 
we compute has codimension less than the degree of D' + E, a fact that follows 
immediately from the fact that Wd'+e is either zero or one-dimensional. We refer 



the reader to Remark 3.7 for some further discussion. 



We now describe the main building block in our algorithms to effectively com- 
pute in the Jacobian of C. This algorithm is analogous to the main geometric 
construction on the Weierstrass model of an elliptic curve in the plane. Namely, 
given two points Pi, P2 on the elliptic curve, we draw the line through them and find 
its third point of intersection Q with the curve. This means that [Q] — — {[Pi] + [p2]) 
in the group law on the elliptic curve. We generalize this to the case of divisors of 
degree do on our curve C. 

Proposition / Algorithm 4.3 ( "Addfiip" ) . Consider two subspaces Wd 1 , Wd 2 
associated to two small divisors D\, D2 on C , corresponding to the classes XD t , xd 2 
on the Jacobian. The following algorithm then computes the subspace We associated 
to a divisor E such that xe — —{xd x + x d 2 ) (i-e., xjj^ + xd 2 + x e = 0): 



1. First compute Wd 1 +d 2 , either by Theorem/ Algorithm pTq or 3. IS, or if 



possible by part 1 of Proposition/ Algorithm 3.4- 
2. Now apply Theorem/ Algorithm \3.1(\ to obtain the space We corresponding 
to a "flip" E of Di + E>2, where D 1 + D 2 + E - 3D . 

Proof. Immediate. Note that step 1 is analogous to drawing the line through 
two points on a Weierstrass model elliptic curve in the plane, and step 2 is analogous 
to finding the third point on the intersection of the elliptic curve with the line. Also 



note that in step 1, our use of Theorem/ Algorithm |3.6| or 3.13 means that we do 
not need to give special treatment to the case where D\ = D2. In the Weierstrass 
model, this would mean that our line through a double point is automatically 
calculated as the appropriate tangent line. It is however simpler in the Weierstrass 
model to find the line through two distinct points. The analogous statement in 
our situation is: if we know beforehand that D± and D% are disjoint, then we 
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can avoid using the more complicated theorems/algorithms, and instead simply 



calculate Wd 1 +d 2 = Wd x H Wd 2 as in Proposition/ Algorithm |3.4[ This will save 
a lot of time. In practice, the divisors £>i and D2 are likely to be disjoint, so one 
should first calculate the intersection, and only use the more complicated algorithms 
for adding divisors in case the codimension of Wd x H Wr> 2 is n °t 2c?o- D 

Now that we have implemented the "addflip" operation f(x\,X2) = —{x\ + X2) 
on the Jacobian of C, we can describe algorithms for all the group operations. We 
begin with negation. Given a small divisor D, we seek E such that xe = —%d, 
or in other words D + E ~ 2Dq. This can be done in a straightforward way, but 
we give a slight modification which uses vector spaces of smaller dimension. This 
will make the negation algorithm more efficient, a point especially worth noting, 
since Theorem/ Algorithm pL~5| (which adds two points on the Jacobian), involves 
a negation. Similar ideas also come into play for subtraction in the Jacobian, as 
discussed in Proposition/ Algorithm p~6[ 



Theorem/ Algorithm 4.4 (Negation). Let Wo be given, where D is a small 
divisor. Then we can compute We, where xe — ~xo, in either one of the following 
two ways: 



• Apply Proposition/Algorithm 4--J to D\ — D and D2 = Dq. We of course 
keep the space Wd at hand; it corresponds to the zero element on the Ja- 
cobian. 

• Alternatively, if one is willing to hold in memory more extensive information 
on the multiplication map /i, one can find We using vector spaces of smaller 
dimension. Namely, we need to know the multiplication maps ^21 and /U32, 
where we write fi mn for the map 

(4.2) /x TOn : H Q (Oc(mD )) ® H Q (O c {nD )) -> H°(O c ((m + n)D j). 

We then proceed as follows: 

1. With respect to /121, compute the space H° (0c(2£>o — D)J as 

(4.3) {s€H Q (O c {2D )) \VteH (O c {D )), n^s ®t) eW D }. 

2. Choose any nonzero f E H° [Oc{2Dq — D)) , and note that (/) = 
D + E ~ 2Dq (viewing f as a section of Oc(2Dq) ). Then using /i32, 
compute 

(4.4) H° (O c (5D -D-E))= M32 (H°(O c (3D Q )) <g> /) = ^ 32 {V ® /). 

3. Now use /X32 again to compute We = H° (Oc(3Dq — E)) as 

(4.5) {seV \VteH°(Oc(2D -D)), m (s ®t) G H°(O c { r oD - D - E))}. 

Proof. The first method proposed is completely straightforward. As for jus- 
tifying the second method, we note that the assertion in step 1 follows from the 
usual argument, since our requirement that c?o > 2g implies that H° (Oc(Do)) 



has no base points. Equation (4.4) is analogous to the identity in step 1 of Theo- 
rem/Algorithm 3 . 1 0| . Finally, the assertion in step 3 follows since H° (Oc{2Dq — D)) 



also has no base points. □ 

Our last major algorithm is to add two divisor classes on the Jacobian; by now, 
the description is almost trivial. We note a similar algorithm for subtraction, which 
unexpectedly is slightly more efficient than the addition algorithm. 



20 



KAMAL KHURI-MAKDISI 



Theorem/ Algorithm 4.5 (Addition on the Jacobian). Given small divisors 
D\ and D 2 , or rather their corresponding subspaces Wd x and Wd 2 , we can compute 
a space We corresponding to a divisor E with xe = xd 1 + xd 2 (i.e., E ^ D\ + 
D2 — Do ) as follows: 

1. First use Proposition/Algorithm |77j[ to compute the space We 1 , where Xe> = 
-(x Dl +x D2 ). 

2. Now use Theorem/ Algorithm to find a negation E of E' . 

Proposition/ Algorithm 4.6 (Subtraction). Given Di and D 2 , we can find 
E such that xd x — xd 2 = xe in either one of the following two ways: 

• First negate D\, thereby obtaining a small divisor D' with xd> — —Xd^- 



Then apply Proposition/ Algorithm ^.l to D' and D 2 . This yields We, 



where xe = — (— Xd 1 + Xd 2 ) as desired. Note that this method only in- 
volves one negation, instead of the two negations that would be involved if 
we first negated D2, and then used the addition algorithm. 
Alternatively, we take the operations in Theorems/ Algorithms and 3. IS 



and remove certain redundant steps to streamline the subtraction algorithm. 
This amounts to the following steps: 

1. Compute H°(O c (2D - D x )) by "dividing out" Do, as in step 1 of 
Theorem/ Algorithm |^.^| . 

2. Take a nonzero f G H^iGcQDo — Dijj, viewed as a section of 
H Q (Oc{2D )). Write (/) = D x + D[, and use ^ 32 as in step 2 of 
Theorem/ Algorithm |^.^| to calculate 

(4.6) H°(O c (5D -D x -F)\- D 2 )) = fi 32 (W D2 <g> /). 



3. Analogously to step 3 in Theorem/ Algorithm 4.4, compute H°(C — 
D' 1 -D 2 ) = H (Oc{3D -D[-D 2 )) as 

(4.7) 

{seV\Vte H°(Oc(2D - Di)), ^(s ® t) e H°(O c {5D a -D x - D[ - D 2 ))}. 

4. Finally, apply Theorem/ Algorithm 3.1(\ to obtain We as the "flip" of 
the space H°{£ - D[ - D 2 ). 

Proof. The first method is completely straightforward. As for the second, it 
boils down to the facts that xjj^ = —xo 1 and that xe = ~(xd[ + xd 2 )- D 

5. Further improvements to the algorithms in Section ^: the medium 

and small models 

We now sketch two ways to modify the algorithms from the previous section, 
while speeding up the algorithms by a constant factor, so the asymptotics of our 
algorithms become a smaller multiple of 0(g 4 ). In both cases, we achieve this 
linear speedup by reducing the degree of the basic line bundle C, and with it the 
dimension of the ambient space V. 

We shall refer to our first method as the medium model. We fix as before an 
effective divisor D of degree d > 2g + 1. (It is possible, but a bit awkward, to 



work with do = 2g, but this would hamper us in our liberal use of Lemma 2.2.) 
We let C = Oc(2F>o), and represent a point xd = [F> — Do] by the space Wd, as 
before. Here degZ? = g?o; in case do = 2g + 1, we obtain that Wd is a (g + 2)- 
dimensional subspace of the (3g + 3)-dimensional space V — H°(Oc(2Do)). Since 
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5 = dim V = 3g + 3 in this case, we have improved the quantity 8 by a factor of 
around (5/3) 4 « 7.7 over the previous section; this is offset by the fact that we now 
have to do about twice as much linear algebra per operation in the Jacobian. So 
we predict an effective speedup by approximately a factor of 4. 

Our first observation regarding the medium model is that we can still use 



Theorems/ Algorithms 3.14 and 4.1 to test for membership of and equality in the 



Jacobian in the medium model. We also observe that negation is now simply 



a matter of "flipping," as in Theorem/ Algorithm 3.10. We need to make some 



modifications to the addition and subtraction algorithms, though. We first give the 



algorithm for the "addflip" operation, analogously to Proposition/ Algorithm 4.3 
The idea is virtually the same, but we need to keep track of more multiplication 
maps. We shall generally use the notation fj, mn to denote the same multiplication 
map as in equation ( |4.2| ): 

(5.1) aw : H°(mD a ) ® H°(nD ) H°((m + n)D ). 

Note that we have simplified notation in this section by writing mDo instead of, 
say, O c {mD ). 

Proposition/ Algorithm 5.1 (Addflip (medium model)). GivenWD 1 = H°(2D - 
Di) and Wd 2 — H°(2Dq — D 2 ), we calculate We, where xe — ~(£l>i + xd 2 )> as 
follows: 

1. Compute H a (4D a - D x - D 2 ) = ^ 22 {W Dl ® Wd 2 ), by Lemma WJ. 



2. Compute H°(3D - Di~ D 2 ) = {s e H°(3D ) \Vt e H° (D ), /z 31 (s®t) € 
H°(4D -Dx-D 2 )}. 

3. Take a nonzero f S H°(3Dq — D\ — D2); viewing f as a section of Oc(3Dq), 
we obtain (/) = D\ + D 2 + E, where xe is the desired class. Now compute 
H°(5D Q -D 1 -D 2 -E)= n 32 (f 8 H°(2D Q )). 

4. Obtain W E = {s € V \ Vt € H°(3D a -D x - D 2 ), fi 23 (s ®t) € H°(5D - 
D 1 -D 2 -E)}. 

The addition algorithm is then obtained by performing an addflip, followed by 
a regular flip to negate the result. Subtraction can be done similarly to the first 
method of Proposition/ Algorithm |4.6|. Alternatively, one can adapt the second 
method from Proposition/ Algorithm |4.6|: step 1 in that setting is superfluous, and 
one can obtain H°(3D — D 2 ) = ^ 2 \{Wd 2 ® H°(D )) for use in step 2 there, and 
continue with step 3. Then mod ify s tep 4 of that algorithm to resemble the last two 
steps of Proposition/ Algorithm |5.l[ We have described the alternative subtraction 
algorithm to illustrate possible techniques, but the simpler subtraction is probably 
just as quick. 

We next turn to what we shall call the small model. In principle, one can 
represent all points on the Jacobian using divisors of degree g, which can be uniquely 
described using an ambient line bundle of degree 3g. However, in order to use 
Lemma |2.2| , and to avoid some contortions, we shall use instead a divisor Dq of 
degree d n = g + 1 (or at least do > g + 1), and put C = Oc(3Dq). So in this case 
V = H (Oc(3Doj\ has dimension 2g + 4, but we need to go up to at least H°(7Dq) 



within our calculation. We use the same notation for fi as in (5.1). The algorithms 
in this setting are reasonably direct generalizations of those in Section [| and of 
those in the medium model; the main problem is that a divisor D' of degree 2do 
may not be recognizable from the space H°(C — D'), which may have base points; 
so we need to work a bit more to deal with D' by looking instead at H°(C — D') 
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for a line bundle £ of sufficiently high degree. On the other hand, the small 
model uses smaller-dimensional vector spaces and should give the fastest algorithms 
among the ones discussed in this paper. In the small model, we can test equality 



on the Jacobian using the second method of Theorem/ Algorithm 4.1 (the reader 
is invited to find an analog of the first method, using techniques analogous to 
those in Propositions/ Algorithms |5.2| |5.4[ ). We therefore content ourselves with 
the algorithms to test for membership of the Jacobian, for the addflip operation, 
and a slight improvement for negation (instead of reducing it to addflip) . Addition 
and subtraction can then be done in a straightforward way, as in Section ||. We note 
that one can obtain a slight improvement to the subtraction algorithm, similarly to 



the second method in Proposition/ Algorithm 4.6. The details are slightly lengthy, 
and are left to the reader. 

Proposition/ Algorithm 5.2 (Membership test (small model)). LetW c V 
be a codimension do subspace. Then we can test whether W — Wd for some D as 
follows: 

1. Let f be a nonzero element ofW, and form the space W+ = H43(H°(4Dq) (£> 
/)CF°(7D ). 

2. Calculate W = {s G H°(4D ) | Vt G W, fi 43 (s ® t) G W+}. 

3. Then W comes from a divisor D if and only if W' has codimension 2do in 
H°(4D ). 



Proof. This is entirely analogous to Theorem/ Algorithm 3.14. The idea is 
that we hope to have (f)=D + £>', whence W+ = H°(7D Q - D- D') and 
W' = H°(4:D - D'). We have had to use the higher-degree line bundle 0c(4£>o) 
in addition to £, in order to e nsur e that the degrees are large enough for us to be 



able to use Lemma/ Algorithm 2.3. □ 



Proposition/ Algorithm 5.3 (Addflip (small model)). Given two subspaces 
W Dl = H°(3D - Dx) and Wjj 2 = H°(3D - D 2 ), we can find W E , where x E = 
— {%Di + xd 2 )j °V modifying Proposition/ Algorithm [^. j| as follows: 

1. Compute H°(3Dq — D\ — D 2 ) by Theorem/ Algorithm 3.6, without discarding 



the intermediate result H°(6Dq — D\ — D 2 ). (It is a good idea to obtain 
H°(ADq — D\ — D 2 ) in the process; this can be done by setting up linear 
equations to simultaneously "divide" out both H°(3Do) and H°(2Dq) from 
H°(6Do — D\ — D 2 ), the former via (|3.4| ), and the latter via an analogous 
calculation that largely overlaps with ( ft-^ .) 

2. Take a nonzero f G H°(3Dq — D\ — D 2 ); so, viewing f as a section of 
O c (3D ), we have (/) = D 1 + D 2 + E for the desired E. 

3. Calculate We as 
(5.2) 

{s G H°(3D ) | Vi G #°(6.D - Di- D 2 ), fi 36 (s ® t) G m (f ® H°(6D ))}. 

Note that this method involves calculation in H°(9Dq) = H°(3C); if we have 
done the extra computation in step 1, we can limit ourselves to H (7Dq), by 
replacing 6Dq by 4Dq throughout ( |5.2| ). 

Proof. Immediate. Note the trouble that we went to because H°(3Dq — Di — 
D 2 ) is not necessarily base point free, which meant that we had to use ( [5.2| ) instead 
of doing a regular "flipping" algorithm after step 1 above. However, we still point 
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out that, generically, H°(3D — D\ — D 2 ) is base point free, since its degree is 
d > 5 + 1. □ 

Proposition/ Algorithm 5.4 (Negation (small model)). Given Wd, we can 
find We, where xe — —Xd, by using the addflip operation. Alternatively, we can 
use the following slightly faster method: 

1. Calculate H°(5D - D) = fi 23 (H a (2D ) <g> W D ). Then calculate H°(2D - 
D) = {s € H°(2D Q ) \ Vt€V, fi2 3 (s <8> t) € H°(5D - D)}. 

2. Take a nonzero f E H°(2D Q - D), and compute H°(6D - D - E) = 

3. Finally, compute W E = {s € H°{SD ) | V* € Wu, M3s(s <g> t) € H°(6D - 
D-E)}. 



Proof. This is just like Theorem/ Algorithm |4.4| , but we have included the 
algorithm to show in step 1 the technique of going from H° (3Dq— D) to H°(2Dq—D) 
by virtue of first "going up," then "going down." This is because the degree of 
Do is too small for us to automatically be able to "divide" by H°(Dq). If we 
were originally careful enough to select D so that H°(D ) were base point free, 



we could have begun as in Theorem/ Algorithm 4.4. However, we cannot in any 
way guarantee that H°(2Do — D) is ba se point free, since D is arbitrary; hence, 
concluding with the computation in (|4.5|) was never an option in the setting of the 



small model. □ 

We conclude this paper with a brief discussion of converting points on the Jaco- 
bian between their representations in the different models. The first observation is 
that it is easy to pass between two representations of the same (as always, effective) 
divisor D in terms of spaces Wd of sections of two different line bundles C\ and 
£2- (Typically, d = Oc{niDo) and £2 = Oc{n-iDo) for a fixed Do and integers 
ni,7i2.) So the problem is to pass from a knowledge of H°(C\ — D) to one of 
H°(C2 — D ). Let us assume for a moment that deg£i > 2g+ 1 + deg.D. Then take 
auxiliary line bundles C Xl CJ 2 of degree at least 2<? + l, such that C\ +£[ = £2 +£'2': 
here, addition of line bundles really refers to their tensor product. Then, using 
multiplication of sections in H°(Ci — D) and if°(£' 1 ), we can obtain the space 
H°(C X + £[ -D) = H°(£ 2 +C' 2 -D). We can then "divide" by H°(C' 2 ) to obtain 



H°(C 2 — D), as desired. This is similar to step 1 in Proposition/ Algorithm 5.4. Of 
course, if the degree of £1 is sufficiently larger than the degree of £2, we only need 
to perform a single division, without first raising the degree using £' 1 . Similarly, if 
the degree of £2 is large compared to that of £1, then a single multiplication step 
is sufficient. 



The above discussion seems to require the use of Lemma 2.2 for the multiplica- 
tion step. We can modify the procedure, though, to work whenever H°(£i — D) is 
base point free (such as when deg£i > 2g + dcg\D). The idea is to take a nonzero 
section / e H°{C\ — D), whose divisor (viewing / as a section of C\) is D + D' . 
Here we caution that the degree of D' may be large, so that H°(Ci — D') may well 
have base points. To get around this, we take an auxiliary line bundle £' of degree 
at least 2 3 +l + degL>', and multiply / by H°(C) to obtain H°(Ci +£' —D — D'). 
Dividing out H°(Ci - D) then yields H°(C - D'). We can then multiply / by 
_ff°(£' 1 + £'), where £[ has suitably large degree, and then divide by H°(C — D') 
(which is now base point free), to obtain iJ°(£' 1 + £1 — D) even in the case where 
we could not use Lemma ll3 as in the above paragraph. We note that throughout 
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all these computations, the degrees of the intermediate line bundles are at most 
0(max(deg d , deg C 2 , g ) ) • 

Now that we have full control over the ambient line bundle C used to represent 
individual divisors D, we shall always assume that the degree of C is sufficiently 
large, and use C to represent all divisors (so D is given by Wd — H°(C — D), 
unless stated otherwise). We now discuss how to change the basepoint Dq used 
to map a divisor D to the point xd = [D — Dq] on the Jacobian. It is always 
easy to add an effective divisor E to Dq, since [D — Dq] = [{D + E) — (D + E)], 



so we can use Theorem/ Algorithm 3.6 to replace Wd with Wd+e- In particular, 
we can also assume that degZ?o > 2g + 1. Thus the main question that remains 
is how to replace Dq by a new basepoint Eq of smaller degree. This means that 
given D, we wish to find E such that [D — Dq] = [E — Eq]; in other words, we 
seek an effective divisor E ~ D + Eq — Dq . Writing D\ = D + Eq (which we 
compute as usual by Theorem/Algorithm [3.6[ and whose degree is even larger than 
deg D = degDa > 2g + 1), we have reduced our question to the following result, 
which leads to an efficient algorithm for the Riemann-Roch problem on C. Like 
our other algorithms, this one requires 0(max(deg Dq, deg D\, g) 4 ) field operations 
in k. Remember that there is no loss of generality in letting C have large degree 
N > 2g+l + dcgD 1 . 

Theorem/ Algorithm 5.5. Let deg£ = N, and assume given (effective) di- 
visors D\ and Dq, whose degrees lie between 2g + 1 and N — 2g — 1. Then we can 
compute the space H (D\ — Dq), and with it (if the space is nonzero) an effective 
divisor E ~ D\ — Dq. The procedure is: 



1. Use Theorem/ Algorithm 3.1L to compute D[ (specifically, to computeW^ — 
H Q {£ - D[)), where D x + D[ ~ C. Thus £ - D[ - D ~ Di - Dq, and 
an explicit isomorphism from H (D\ — Dq) to H°(C — D[ — Dq) is given 
by multiplication by the section f of C with (/) = D\ + D[ used in the 
calculation of Wd' ■ 

Compute H°(2£ — D[ — Dq) = fi(Wn' <8 Wd q ), and use it to compute 



Wr>> +d — H (Di — -Do); fl s in Theorem/Algorithm 3.6. 
3. A divisor E as above exists if and only if we can find a nonzero g € Wd' +d > 
in which case we view g as a section of C and see that its divisor is (g) = 
D[ + Dq + E. Then calculate 

(5.3) 

W E = {s S H°(C) | Vf G H°{2£ - D[ - £>„), n'(s ® t) € fi'(g ® H°{2£))}. 
Here fx' : H°(C) ® H°(2C) -> H°(3£) is the multiplication map. (We did 



not use the notational convention of (5.1), since we are not assuming that 
C is a multiple of Dq.) 

Proof. We know that fj,'(g <8> H°(2C)) = H°(3C - D[ - Dq - E), and our 
generous assumptions about degrees ensure that H°(2£ — D[ — Dq) is base point 
free. Note that we do not assume that the smaller space H°(C — D[ — Dq) is base 
point free; indeed, its degree is degl?i — deg Do, which may be quite small. The 
rest of the proof is standard by now. □ 
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